The phpCAS library provides a simple API for authenticating users against a CAS server. phpCAS is configured using the static API methods such as
The examples below show a variety of ways to use the phpCAS library. All examples can be found in the distribution packages and can be downloaded from the Examples directory in source control.
A simple CAS client
In its simplest form, phpCAS is used as a CAS client.
Run-time behaviour configuration
When setting up a CAS proxy client, some runtime behaviour can be easily configured.
Setting the language for error pages or notifications
Changing the HTML style of error pages and notifications
A CAS proxy
phpCAS can also make a PHP script act as a CAS proxy client. The phpCAS client gets a proxy ticket from the CAS server and uses it to access (call) external services in your name. The proxy client supports cookies and can be used for sessions etc.
A CAS proxy using serviceWeb()
A CAS proxied service
An example service (also a CAS client) to be called from the example_proxy_serviceWeb. This example also uses the session for a simple counter.
CAS proxies can be chained
A CAS proxy client can also be proxied itself.
The ProxiedService system
As of phpCAS 1.2.2, new ProxiedService classes are available for making proxy-authenticated requests via HTTP GET, HTTP POST, IMAP, and in the future SOAP, XML RPC, etc.
The HTTP GET Proxied Service is equivalent to serviceWeb(), but provides an exception-based API.
The HTTP POST Proxied Service allows clients to make proxy-authenticated POST requests.
The IMAP Proxied Service is equivalent to serviceMail(), but provides an exception-based API.
Clients should use the following CAS_ProxiedService_Imap methods:
PGT storage configuration
The storage of Proxy Granting Tickets (PGTs), which proxy functionality requires, can be configured.
Onto the filesystem
Only check authentication (gateway)
phpCAS can use the CAS gateway feature (see http://www.ja-sig.org/wiki/display/CAS/gateway).
Handle logout requests from the CAS server
Support for central logout (Single Sign Out) was added in release 1.0.0.
By default, phpCAS only handles logout requests that emanate from the CAS host (declared in phpCAS::client() or phpCAS::proxy()). Failure to restrict SAML logout requests to authorized hosts could allow denial-of-service attacks in which, at the least, the server is tied up parsing bogus XML messages.
To disable access control on logout requests, use:
The hosts allowed to send logout requests can also be passed in an array, which may be useful with clustered CAS servers:
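The logout access control described above, shown as a client setup with the unrestricted call next to the restricted one. This is an added example, not code from the phpCAS distribution; the hostnames, the CA bundle path and the include path are constructed placeholders.

```php
<?php
// Added example, not phpCAS project code. All hostnames and paths below
// are constructed placeholders.
require_once 'CAS.php'; // assumed include path for the phpCAS library

// Constructed values: one public CAS name, served by two cluster nodes
// that send the logout requests themselves.
$casHost       = 'cas.example.org';
$casPort       = 443;
$casContext    = '/cas';
$logoutSenders = array('cas-node-1.example.org', 'cas-node-2.example.org');

// Four-argument form of client(); newer phpCAS releases additionally
// require a service base URL argument here.
phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casContext);

// Validate the CAS server certificate against a known CA bundle.
phpCAS::setCasServerCACert('/etc/ssl/certs/example-cas-ca.pem');

// Weak setting: access control disabled, so any host that can reach this
// script can make it parse logout XML.
// phpCAS::handleLogoutRequests(false);

// Restricted setting: only the listed hosts may send logout requests.
// List every host that really sends them (add $casHost if it does too).
// This call has to come before forceAuthentication().
phpCAS::handleLogoutRequests(true, $logoutSenders);

phpCAS::forceAuthentication();
echo 'Authenticated as ' . htmlspecialchars(phpCAS::getUser(), ENT_QUOTES, 'UTF-8');
```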
SAML Protocol with Attribute Release
An advanced example using the SAML protocol with attribute release and single logout.
Custom validation URLs
The following example shows how to configure a non-standard URL for ticket validation. This feature is supported in phpCAS since version 1.1.0RC2. The validation URLs can be set for service, proxy and SAML validation.